Intelligence Gathering

later use. 

Nmap lets you scan hosts to identify the services running on each, any of which might offer a way in.

For this example, let’s leave secmaniac.net behind and turn to the virtual machine described in Appendix A, with IP address 172.16.32.131. Before we get started, take a quick look at the basic nmap syntax by entering nmap from the command line on your Back|Track machine.

You’ll see immediately that nmap has quite a few options, but you’ll use just a few of them for the most part.

One of our preferred nmap options is -sS. This runs a stealth (SYN, or “half-open”) TCP scan that determines whether a specific TCP port is open: nmap sends a SYN to the port and reports it open if a SYN/ACK comes back, closed if a RST comes back, and filtered if nothing comes back, without ever completing the three-way handshake. Because it builds those packets on a raw socket, -sS must be run as root, which is why the prompts below read root@bt. Another preferred option is -Pn, which tells nmap to skip host discovery (the ping-style probes it normally sends first to decide whether a system is running) and instead treat every target as “alive.” If you’re performing Internet-based penetration tests, you should use this flag, because most networks don’t allow Internet Control Message Protocol (ICMP), the protocol that ping uses, and without -Pn nmap will mark such a host as down and never port-scan it. If you’re performing this scan internally, you can probably ignore this flag.

Now let’s run a quick nmap scan against our Windows XP machine using both the -sS and -Pn flags.

root@bt:~# nmap -sS -Pn 172.16.32.131

Nmap scan report for 172.16.32.131
Host is up (0.00057s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1433/tcp open  ms-sql-s
3389/tcp open  ms-term-serv
Nmap done: 1 IP address (1 host up) scanned in 14.34 seconds

As you can see, nmap reports a list of open ports, along with a description of the associated service for each.

For more detail, try using the -A flag. This option turns on OS detection, version detection (service enumeration and banner grabbing), nmap’s default scripts, and traceroute, which may give you even more details about the target system, at the cost of a slower and noticeably noisier scan. For example, here’s what we’d see if we were to call nmap with the -Pn, -sS, and -A flags, using our same target system:

root@bt:~# nmap -Pn -sS -A 172.16.32.131

Nmap scan report for 172.16.32.131
Host is up (0.0035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
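Both reports above use nmap’s default (“normal”) output format; the -A run only adds a VERSION column. The following is an added example, not code from the book or from nmap itself: a small Python parser for that format, so that a scan’s open ports and version strings can be pulled into a structure you can act on rather than read by eye. Its embedded sample input is the two port tables printed on this page (the -A table only as far as the page shows it); the PortEntry type and the function names parse_nmap_report, open_ports, and version_of are this example’s own.

```python
"""Parse nmap's default ("normal") output into structured port entries.

Added example for this page, not nmap's own code. The sample reports below
are copied from the two scans shown on the page (the -A one only as far as
it is printed there).
"""
import re
from typing import Dict, List, NamedTuple


class PortEntry(NamedTuple):
    port: int
    proto: str      # tcp / udp / sctp
    state: str      # open / closed / filtered / open|filtered ...
    service: str    # nmap's name from its services table, or from -sV
    version: str    # VERSION column; empty when -A/-sV was not used or found nothing


# Host header nmap prints before each port table, e.g.
# "Nmap scan report for 172.16.32.131"
HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
# One row of the port table, e.g.
# "445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_nmap_report(text: str) -> Dict[str, List[PortEntry]]:
    """Return {host: [PortEntry, ...]} for every host block in a normal-output report.

    Latency, "Not shown: N closed ports", "Nmap done" and the PORT header row
    are skipped; only numeric port rows are kept, in the order nmap printed
    them. Works unchanged on -sS and -sS -A output because -A only appends
    the VERSION column.
    """
    results: Dict[str, List[PortEntry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        host = HOST_RE.match(line)
        if host:
            current = host.group("host")
            results.setdefault(current, [])
            continue
        if current is None:          # text before the first host block
            continue
        row = PORT_RE.match(line)
        if row:
            results[current].append(PortEntry(
                int(row.group("port")), row.group("proto"), row.group("state"),
                row.group("service"), (row.group("version") or "").strip()))
    return results


def open_ports(text: str, host: str) -> List[PortEntry]:
    """Only the rows nmap marked 'open' for one host, i.e. the candidate ways in."""
    return [e for e in parse_nmap_report(text).get(host, []) if e.state == "open"]


def version_of(text: str, host: str, port: int) -> str:
    """VERSION string for one port, '' if the scan had none (e.g. no -A/-sV)."""
    for e in parse_nmap_report(text).get(host, []):
        if e.port == port:
            return e.version
    return ""


# Sample input: the -sS -Pn report printed on this page.
SAMPLE_SS = """\
Nmap scan report for 172.16.32.131
Host is up (0.00057s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1433/tcp open  ms-sql-s
3389/tcp open  ms-term-serv
Nmap done: 1 IP address (1 host up) scanned in 14.34 seconds
"""

# Sample input: the first rows of the -Pn -sS -A report, as far as the page shows them.
SAMPLE_A = """\
Nmap scan report for 172.16.32.131
Host is up (0.0035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
"""

if __name__ == "__main__":
    for e in open_ports(SAMPLE_SS, "172.16.32.131"):
        print(f"{e.port}/{e.proto} {e.service}")
    print(version_of(SAMPLE_A, "172.16.32.131", 445))
```

For a live scan you would feed the parser the text of `nmap -sS -Pn -A <target>` instead of the embedded sample. Nmap also offers machine-readable output (-oX for XML, -oG for greppable) that is the better choice for automation; this parser exists only to show that the human-readable table on the page carries the same port, state, service, and version fields.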